Responsible Disclosure of Odoo Security Vulnerabilities

Help us keep Odoo safe and secure!

Responsible Disclosure Policy

The safety of Odoo systems is very important to us (not only because we use Odoo internally), and we consider security problems with the highest priority. We do our best every day to protect Odoo users from known security threats, and we welcome all reports of security vulnerabilities discovered by our users and contributors.

We are committed to handling vulnerability reports with the greatest attention, provided that the following rules are respected.

Reporting an issue

Please share privately the details of your security vulnerability by emailing our Security Team at
. Make sure to include as much information as possible, including the detailed steps to reproduce the problem, the versions that are affected, the expected results and actual results, and any other information that might help us react faster and more efficiently. We tend to prefer text-based bug descriptions accompanied with a proof-of-concept script/exploit, rather than long videos.

Important note: the majority of the security reports we receive have little to no impact on the security of Odoo or Odoo Online, and we ultimately have to reject them. To avoid a disappointing experience when contacting us, please try to put together a proof-of-concept attack and take a critical look at what's really at risk. If the proposed attack scenario turns out to be unrealistic, your report will probably be rejected. Also be sure to review our list of non-qualifying issues below.

You may send this report from an anonymous email account, although we promise not to disclose your identity if you do not want us to.

You can also encrypt and verify messages to/from our security team with the GPG key linked above.

Incident Response Procedure

You privately share the details of the security vulnerability with our Security Team by reporting an issue (see above)

We acknowledge your submission and verify the vulnerability. Our first answer generally comes within 24 to 48 hours.

If the vulnerability is valid and in scope, we request a CVE ID and give it to you as soon as it is assigned.

We work on a correction in collaboration with you.

We write a detailed Security Advisory describing the issue, its impacts, possible workarounds and solution, and we ask you to review it

We privately broadcast the Security Advisory and the correction to stakeholders and customers with an Odoo Enterprise Contract

We give stakeholders and customers a reasonable period of time to apply the correction before disclosing it publicly (e.g. 2-3 weeks)

Rules

Exclusively test vulnerabilities on your own deployments, on demo.odoo.com, or on your own trial instances of Odoo Online

Never attempt to access or modify data that does not belong to you

Never attempt to execute denial of service attacks, or to compromise the reliability and integrity of services that do not belong to you

Do not use scanners or automated tools to find vulnerabilities, as their effects will violate the previous rules

Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system

Do not publicly disclose vulnerabilities without our prior consent (see also the Disclosure Procedure above). During the non-disclosure period you are authorized to use/test any correction we've provided, as long as no emphasis is put on that correction and it is not published in the form of a security report (i.e. using it on production servers is fine).

In return:

We will not initiate legal action against you if you followed the rules

We will process your report and respond as quickly as possible

We will provide a fix as soon as possible

We will keep you updated on the progress and disclosure steps (see also the Disclosure Procedure above)

We will work diligently with stakeholders and customers in order to help them restore the safety of their system

We will not publicly disclose your identity if you do not want to be credited for your discovery

Issues in default configuration of access control rules (e.g. ACLs and record rules) - please open regular bug reports instead

Attack scenarios that rely on a takeover of user email accounts (obviously)

If you have any doubt, please ask us first!

Reward

If you report a new security issue that is confirmed to be critical (see the DO REPORT section), we will publicly thank you by adding your name to the Odoo Security Hall of Fame, on the right of this page.

Thank YOU!

We are extremely grateful to the following security researchers who have worked with us to further improve the security of Odoo and the Odoo Cloud platforms!